Data protection in Malaysia is primarily governed by the Personal Data Protection Act 2010 (PDPA) and subsidiary legislation as outlined below. The PDPA purports to safeguard personal data by requiring data users to comply with certain obligations and conferring certain rights to the data subject in relation to their personal data.
Primary legislation
Prior to 2010, the regulation of personal data was governed mainly by industry-specific legislation. Industry-specific legislation with respect to data protection exists in the banking and finance, healthcare, and telecommunications industries, among others. In May 2010, the PDPA was passed by the Malaysian Parliament and received Royal Assent in June 2010. The PDPA came into force on November 15, 2013, with a three-month grace period ending on February 14, 2014.
Subsidiary legislation
Together with the PDPA, five pieces of subsidiary legislation were also brought into force on November 15, 2013. These address issues such as the appointment of the Personal Data Protection Commissioner (the Commissioner), the registration of data users, and the fees that may be imposed under the PDPA. This subsidiary legislation was passed simultaneously in order to facilitate the enforcement of the PDPA.
The subsidiary legislation that has been passed to date includes:
Other subsidiary legislation pertains to the appointment of the Commissioner.
The Commissioner has issued the Personal Data Protection Standard 2015 (the 2015 Standards) which came into force on December 23, 2015. The 2015 Standards include security standards, retention standards, and data integrity standards, which apply to personal data that is processed electronically and non-electronically. The 2015 Standards are intended to be 'a minimum requirement' and will apply to all data users, meaning any person who processes, has control of, or allows the processing of, any personal data in connection with a commercial transaction.
Industry codes of practice
Data user forums were formed for specific industries, in particular the communications, banking and finance, insurance, hospitality, transport, direct sales, professional services, and utility sectors. Each data user forum was directed by the Commissioner to develop its own codes of practice for adherence by data users in the respective sectors.
The Department of Personal Data Protection (PDP) has released a number of guidance documents and Frequently Asked Questions (FAQs) on its website on various matters under the PDPA and its subsidiary legislation.
In January 2022, the PDP issued the Guide to Prepare Personal Data Protection Notice (Guide to prepare PDP notice), which serves as a reference to data users in micro, small, and medium enterprises.
Provisions under the PDPA have been considered in Malaysian courts in several cases.
The majority of the reported cases considered the application of the general exemption of Section 45 of the PDPA. For example, in Newlake Development Sdn Bhd v Zenith Delight Sdn Bhd & Ors (No 2) [2021] 7 CLJ 88, it was held that if a court rules that the documents in question were relevant and admissible, the PDPA cannot be used as a shield to prevent such documents from being produced at trial under the guise of personal data protection.
Notably, in December 2021, the High Court held that the PDPA does not allow the Director-General of the Inland Revenue Board of Malaysia to make blanket demands for personal data in view of the protections afforded to data subjects under the PDPA (Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors [2021] MLJU 2847). Such requests for data must be made in accordance with the law, and it should be ensured that the request satisfies the test of necessity, in that 'the interference with the rights of data subjects must be proportionate to the reality as well as to the potential gravity of the public interests involved,' and 'there must also be a specific instance as contemplated by the statute and not a general sweeping and inconsistent reasons for the disclosure to be given.'
This case is significant as it is the first formal challenge to the powers of law enforcement authorities to request the disclosure of personal data.
Apart from reported cases, it has also been reported on the PDP's website that enforcement actions in the form of penalties have been taken against entities in various sectors, namely tourism, education, and services sectors, for failure to register as data users and, in one case, for failure to obtain the requisite consent from the data subject.
The PDPA applies to any person who processes or has control over the processing of personal data (referred to as 'data user'). It is pertinent to note that processing is defined widely under the PDPA to cover a wide range of activities, including using, disseminating, collecting, recording, and/or storing personal data.
Furthermore, only individuals are referred to as data subjects under the PDPA.
The PDPA also contains specific provisions for data processors. A data processor that processes personal data solely on behalf of a data user may not be bound directly by the provisions of the PDPA, but rather, it is the duty of the data user to ensure compliance by the data processor with the relevant provisions under the PDPA.
The PDPA does not apply to personal data processed outside Malaysia unless the data is intended to be further processed in Malaysia, and it also does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data, other than for the purpose of transit through Malaysia. The Government of Malaysia (the Government) and state governments are also exempted from the application of the PDPA along with any information processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010.
The PDPA covers processing in relation to personal data defined as collecting, recording, holding, or storing of personal data, or carrying out of any operation or set of operations on personal data, including:
Personal data processed only for the purposes of that individual's personal, family, or household affairs, including recreational purposes, are exempted from the PDPA.
However, the following are exempted from certain, but not all, data protection principles under the PDPA in some circumstances:
The PDP is an agency under the Ministry of Communications and Digital (MCD). It was officially launched by the Minister in Kuala Lumpur on February 12, 2012. The PDPA came into force on December 15, 2013.
The main responsibility of the PDP is to enforce and regulate the PDPA in Malaysia, and it focuses on the processing of personal data in commercial transactions and on preventing the misuse of personal data. In enforcing the PDPA, the Commissioner has also been mandated to register all classes of data users under the Order.
The Commissioner has the power to carry out inspections of data protection systems under the PDPA. Furthermore, the 2013 Regulations provide that the personal data system must, at all reasonable times, be open to the inspection of the Commissioner or any inspection officer. During this inspection, documents such as consent and notice forms may be requested, as well as the list of third-party disclosure or any other documentation evidencing compliance with standards issued by the Commissioner, or any other information that the Commissioner may request.
Other powers include, among other things, the power to designate data user forums, issue and register codes of practice, carry out investigations on receipt of complaints, serve enforcement notices, and authorize officers to take enforcement actions.
Data controller: The PDPA defines 'data user', which is the equivalent of a 'data controller' as a person who either alone, jointly, or in common with other persons, processes any personal data or has control over, or authorizes the processing of any personal data, but does not include a data processor.
Data processor: A data processor under the PDPA means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of their own purposes.
Personal data: Three conditions must be fulfilled in order for data to be considered as personal data under the PDPA, namely:
In respect of the first condition, 'commercial transactions' are defined under the PDPA as transactions of a commercial nature and include any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance. It is currently unclear whether an employment relationship is considered to be a commercial transaction and whether employment-related information would come under the scope of the PDPA. The definition of 'personal data' appears to be sufficiently wide to cover the usual types of personal information collected in day-to-day transactions, for example, name, address, telephone number, email address, banking details, and photographs.
Sensitive data: Sensitive personal data under the PDPA includes any personal data consisting of information as to the physical or mental health or condition of a data subject, their political opinions, their religious beliefs or other beliefs of a similar nature, the commission or alleged commission by them of any offense or any other personal data as the Minister may determine by order published in the Gazette. The obligations imposed by the PDPA in respect of sensitive personal data are more stringent.
Health data: 'Health data' is not specifically defined under the PDPA but such data would fall within the scope of 'sensitive personal data' as it consists of information as to the 'physical or mental health or condition of a data subject.'
Biometric data: There are currently no express provisions or guidance in the PDPA on 'biometric data'. However, such data could fall within the scope of 'sensitive personal data' as it consists of information regarding the 'physical condition of the data subject.'
Pseudonymization: There are currently no express provisions or guidance in the PDPA on 'pseudonymisation.'
Data subject: The PDPA defines 'data subject' as an individual who is the subject of personal data.
General principle
The 'General Principle' prohibits a data user from processing personal data without the consent of a data subject. However, a data user is not required to comply with this requirement where the processing is necessary for:
Please see the section above on legal bases.
There are no exemptions from consent for the data processing carried out in public interests in general, but there are exemptions such as for public interest in freedom of expression, i.e. where the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest.
The concept of 'legitimate interests' does not feature under Malaysian data protection laws.
A data user is required to comply with the seven personal data protection principles.
General principle
Further to the section on legal bases above, the General Principle also sets out certain parameters for the processing of personal data. It provides that personal data shall not be processed unless:
The 2013 Regulations stipulate that consent must be recorded and must be properly kept by data users. The requirement to record consent implies that consent should be sought expressly or by way of opt-in methods, as arguably consent cannot be recorded where it is implied or where an opt-out method is used. Further, it is pertinent to note that the 2013 Regulations stipulate that the onus to prove consent is on the data user. The 2013 Regulations also state that, when consent is required, the requirement to obtain consent shall be presented as distinguishable in its appearance from other matters. Where personal data relates to a data subject under 18 years of age, consent must be sought from the parent, guardian, or person who has parental responsibility for the data subject.
Notice and choice principle
This principle requires a data user to inform a data subject of various matters relating to the information of the data subject, which is being processed by, or on behalf of that data user.
The PDPA requires a data user to inform a data subject by written notice of the following, in both the national language, Malay, and English:
Notice of the above has to be given by the data user 'as soon as practicable', that is, when the data user first requests the personal data from the data subject, when the data user first collects the personal data of the data subject, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party. The data subject must also be provided with a clear and readily accessible means to exercise their choice, where necessary, in both Malay and English.
The Guide to prepare PDP notice provides that 'PDP Notice must be written in dual language; the national language and the English language. If there is any need to prepare the PDP Notice in other languages, you may do so.' 'Any need' is considered to be a general term indicating that if a data user has any other need to have the notice in other languages (e.g. if data subjects such as customers or employees are largely speakers of other languages), then it may offer the PDP Notice in other languages. Furthermore, the mention of 'other language' in the Guide to prepare PDP notice refers to languages other than English and the national language (Malay).
Disclosure principle
This principle prohibits a data user from disclosing the personal data of a data subject:
However, disclosure of personal data is permitted where:
The 2013 Regulations stipulate that a list of third-party disclosures must also be kept by the data user, and such a list may be requested by the Commissioner or inspecting officer during an inspection.
Security principle
This principle imposes an obligation on a data user to adopt specified measures to protect personal data from loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction, during its processing. Where the data processing is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
Under the PDPA, it is stipulated that the following factors must be taken into account:
According to the 2013 Regulations, a security policy has to be formulated by the data user. A brief overview of the security standards prescribed by the 2015 Standards is as follows:
In respect of non-electronically processed personal data, a data user must:
Retention principle
This principle provides that personal data must not be retained longer than is necessary for the fulfillment of the purpose for which it is processed and requires the data user to destroy or permanently delete all personal data which is no longer required for the purpose for which it was processed. However, under other laws, there may be minimum data retention periods, which may be specified, for example, under certain tax laws. It would appear unlikely that the retention of data in compliance with retention periods stipulated under other laws would be considered a contravention of this principle, though this has not yet been tested.
A brief overview of the retention standards prescribed by the 2015 Standards is as follows:
Data integrity principle
This principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
A brief overview of the data integrity standards prescribed by the 2015 Standards is as follows:
The provisions under the PDPA generally concern data users directly and not data processors. However, data users are in certain cases required to contractually bind data processors to ensure compliance with the PDPA.
The Order and the Order Amendment set out the classes of data users who have to be registered with the Commissioner.
The sectors which have been specified are:
It appears that for the most part, licensees under the relevant sectors are the data users, who have to be registered. Under the PDPA, a data user who falls within the prescribed classes is required to register itself within three months of the coming into force of the PDPA, although in practice, late registrations are still being accepted subject to such registrations being accompanied by a letter of explanation outlining the reason for late registration. The registration of data users can be completed on the PDP's website. The Minister may also require data user forums to be established and codes of practice to be prepared.
A data user who belongs to two or more classes of data users must make an application for registration separately for each class to which the data user belongs (Section 3(2) of the Registration Regulation).
The Commissioner will consider applications and then either issue a certificate of registration, refuse the application, or issue a certificate subject to conditions and/or restrictions on data processing (Section 16(1) and (2) of the PDPA).
An application for registration by a data user under Section 15 of the PDPA must be accompanied by a registration fee ranging from MYR 100 to MYR 400 (approx. $20 to $80), as specified in the Schedule of the Registration Regulation, as well as the following documents (Section 3(1) of the Registration Regulation):
Once issued, the certificate of registration is valid for a period of not less than 12 months from the date on which the certificate of registration is issued, unless it is revoked earlier (Section 4 of the Registration Regulation).
A data user should also notify the PDP of any changes to the particulars in its certificate of registration, which include the documents relating to the applicable classes of data users and the company's status as a public or private entity (Sections 3 and 6 of the Registration Regulation).
An application for renewal of a certificate of registration must be accompanied by the fee for renewal as specified in the Schedule of the Registration Regulation, which ranges from MYR 100 to MYR 400 (approx. $20 to $80) (Section 5 of the Registration Regulation).
In addition, Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (the Public Consultation Paper) issued by the PDP contains points for consultation regarding registration requirements with the PDP. Specifically, the Public Consultation Paper considers:
Furthermore, the data user is obliged to display a copy of the certificate of registration and any amendment to the same at the principal place of business, as well as a certified copy of the certificate of registration for each branch, where applicable (Section 8 of the PDPA).
The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country, which has been specified and recorded in the Official Gazette by the Minister.
Currently, no countries have been specified officially. Notwithstanding the prohibition on transfers of personal data out of the country, the PDPA sets out a number of exceptions to the prohibition, such as where the consent of the data subject has been obtained for such transfer and where the transfer is necessary for the performance of a contract between the parties. When in doubt as to whether the exemptions on data transfer apply, the prudent approach would be to obtain consent from the data subject in respect of such transfer out of Malaysia. In relation to outsourcing, a data user is not allowed to share data with third parties unless the consent of the individual has been obtained.
A data user must keep and maintain a record of any application, notice, request, or any other information relating to personal data processed by them in the form and manner that may be determined by the Commissioner.
The personal data system must also be open for inspection and the Commissioner or inspection officer may require certain documents to be produced, including inter alia records of consent and notice, lists of disclosures to third parties, and the security policy. Other laws may also prescribe record-keeping requirements, e.g. tax law.
There is no requirement to conduct a Data Protection Impact Assessment ('DPIA') under the PDPA.
The PDPA does not mandate the appointment of a data protection officer ('DPO'), but the application form for registration of data users requires a 'compliance person' to be named, who is described as the individual who will 'supervise the application of the PDPA' in the data user's organization. A proposal paper titled 'Guidelines on Compliance with Personal Data Protection 2010' seeking to introduce the designation of such an officer was issued in 2014, but until it is gazetted as law, its status remains unclear.
In addition, the PDP outlined in Section 3 of the Public Consultation Paper that it is considering the addition of a new provision in the Act to make it obligatory for a data user to appoint a DPO, and to issue a guideline on the mechanism of having a DPO.
The PDPA does not currently provide for this, but the authorities have issued a Public Consultation Paper 1/2018: The Implementation of Data Breach Notification which seeks to introduce a data breach notification regime, where data users will be required to notify regulators and affected individuals in the event of a data breach. The consultation paper sets out, among others, the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident and to provide details about the data at risk, actions that have been taken or will be taken to mitigate the risks to the data, details of notifications to affected individuals, and details of the organization's training programs on data protection. However, the consultation paper has yet to be gazetted as law.
While it is not a mandatory requirement under the PDPA, data breach notification to the Commissioner can be submitted online. Information required includes particulars of the data user and the person giving the notification, details of the data breach, containment and recovery, and notifications made to other parties (regulators and law enforcement agencies, affected parties, data processors, or other overseas data protection authorities).
Sectoral
While there is no general obligation to report a personal data breach to either individuals or the PDP under the PDPA, there appear to be various reporting obligations imposed by different regulators and authorities that have jurisdiction depending on the specific facts of each case.
As such, whether there is a requirement for notification of data breaches is largely fact-specific and may depend on various factors including the types of services carried out, the entity concerned, and the level of severity of the breach. It is also not uncommon for regulators and authorities to have directives or guidelines which are internal or issued directly to the industry meaning that the public does not have access to them.
Health sector
In the health sector, there are general reporting obligations which are not specific to the notification of data breaches but may be relevant. For instance, Section 37(1) of the Private Healthcare and Facilities Act 1998 states that a private healthcare facility or service must report to the Director-General or any person authorized on that behalf, such unforeseeable and unanticipated incidents as may be prescribed.
Financial sector
In the financial sector, depending on the facts of the case, various reporting obligations imposed by regulators and authorities may be triggered which may or may not relate to data breaches. For instance, under the Guidelines on Internet Insurance published by the Central Bank of Malaysia (BNM), licensed insurers that carry out internet insurance activities are required to report material security breaches, system downtime, and degradation in system performance that critically affects the insurer to the BNM.
The BNM has also issued the Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorized access, modification, or disclosure by whatever means of customer information. There is also a template attached to the guidance document for reporting a customer information breach.
Under the Guidelines on Data Management and Management Information System (MIS) Framework published by the BNM, boards of licensed financial institutions are required to inform the BNM of any developments that may have a material bearing on the institution's operations, risk profile, or financial condition. Public listed companies are also subject to the Listing Requirements issued by Bursa Malaysia where listed issuers are required to disclose to the public immediately all material information necessary for informed investing.
Where capital market entities are concerned, the Guidelines on Management of Cyber Risk published by the Securities Commission of Malaysia (SC) require all such entities to report to the SC any detection of a cyber incident that may have or has had an impact on the information assets or systems of the entity, on the day of the occurrence of the incident. Therefore, whether there are data breach notification requirements largely depends on the specific facts and circumstances of each case. However, under the Financial Services Act 2013 (FSA), protection is conferred upon those who disclose in good faith to the BNM their knowledge, belief, or any document or information that a breach or contravention has been committed or is about to be committed under the FSA.
In addition to the retention principle under the PDPA, as highlighted in the section on principles above, the 2015 Standards outline three main standards, security, retention, and data integrity, which apply to personal data which is processed either electronically or non-electronically.
A brief overview of the measures prescribed by the 2015 Standards is as follows:
Under the PDPA, children (minors under the age of 18) cannot provide consent to the processing of their personal data. Where a minor's personal data is involved, the 2013 Regulations require that consent be obtained from the parent, guardian, or person who has parental responsibility for the minor.
'Criminal conviction data' is considered as 'sensitive personal data' under the PDPA.
Processing 'sensitive personal data' requires explicit consent unless an exemption applies. Some examples are where the processing relates to information that has been made public as a result of steps deliberately taken by the data subject or where the processing is necessary:
Where the processing of personal data is carried out by a data processor on behalf of a data user, the PDPA requires the data user, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction, to ensure that the data processor:
Additionally, the security principle requires data users to enter into contracts with data processors with respect to any data processing.
In addition to the obligations placed on a data user, the PDPA also confers the following rights on a data subject (which are further explained below):
Some of the rights mentioned above are further qualified by the provisions in the PDPA. In respect of the right of a data subject to prevent processing for direct marketing purposes, the PDPA stipulates that a data subject may, at any time by notice in writing to a data user, require the data user to cease or not to begin processing their personal data for purposes of direct marketing. Direct marketing is defined under the PDPA as 'communication by whatever means of any advertising or marketing material, which is directed to particular individuals'.
In the event the data subject is dissatisfied with the data user's failure to comply with the notice to cease processing for direct marketing, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. It is pertinent to note that if a data user fails to comply with the requirements of the Commissioner they would be committing an offense under the PDPA, which attracts a fine of up to MYR 200,000 (approx. $42,370), imprisonment for a term not exceeding two years, or both.
As of January 11, 2015, a data subject who believes that there has been a misuse of their data by an individual or an organization may lodge a complaint online on the Commissioner's website in order for the necessary investigation to be carried out.
Please see the explanation under the notice and choice principle under the section on principles above.
A data subject has a right of access to their own data and to correct the same if it is inaccurate, incomplete, misleading, or outdated, subject to certain conditions. Certain prescribed procedures have been set out where access or correction is requested by the data subject (e.g., where the data subject requires a copy of the personal data, the data user must acknowledge receipt of the request). The 2013 Regulations also set out the information which may be requested by a data user when processing an access request.
The terminology under the PDPA is 'right to correction', which has been addressed under the section on the right of access above.
There are no express rights of erasure under the PDPA.
Under the PDPA, a data subject has the following rights to object/opt-out:
Right to withdraw consent: A data subject can withdraw consent for the processing of their personal data at any time by way of written notice.
Right to prevent processing where likely to cause damage or distress: A data subject may by written notice require a data user to cease or not begin processing personal data for a specified purpose or in a specified manner if:
There are no express rights to data portability under the PDPA.
This right does not feature under Malaysian data protection laws.
Failure to comply with the provisions of the PDPA may amount to a criminal offense. Breaching any of the seven data protection principles attracts a fine of up to MYR 300,000 (approx. $63,550) and/or two years imprisonment. The unlawful collection, disclosure, and sale of personal data attracts a fine of up to MYR 500,000 (approx. $105,930) and/or up to three years imprisonment.
If a corporate body is found to have committed an offense, the officers of such corporate bodies are deemed to have committed the offense personally. However, the officer(s) of such corporate body may not be found to have committed the offense if they can prove the offense was committed without their knowledge or consent and they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offense.
The Compounding of Offences Regulations came into operation on March 15, 2016, and provide that certain offenses may be compounded with the consent of the Public Prosecutor in the form and manner prescribed. The offenses prescribed thus far relate to certain offenses under the PDPA, the 2013 Regulations, and the Registration Regulation.
The Annual Report 2021 released by the PDP (available only in Malay) provides the statistics of inspections carried out pursuant to Sections 101 and 48 of the PDPA. The report shows that inspections were carried out across various sectors, including the communications, education, health, property, and tourism sectors. The report also shows that inspections were carried out on organizations that do not fall within the classes of data users under the Order.
Apart from inspections and audits, as noted above, the PDP has been taking enforcement actions against non-compliance, and it is expected that the PDP will continue to increase efforts in respect of such enforcement actions.
On March 18, 2019, the then MCM Minister announced that the Government is currently reviewing the PDPA to ensure it is in line with global developments. The MCD is keen to incorporate key points of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) into the PDPA. Among the areas being looked at by the MCD are cross-border data transfers, data breach notifications, and whether the Government should be exempted from the PDPA.
As part of an ongoing review of the PDPA, the Commissioner has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 dated February 14, 2020, to seek the views and comments of the public on 22 issues. Some of the issues for which feedback is sought include an extension of obligations to data processors, data portability, the appointment of a DPO, the reporting of data breaches, and the establishment of a right to commence civil litigation against data users.
Further to the above, based on statements made by the MCD Minister, we understand that the five key areas that are the focus of the amendments are as follows:
Based on news reports, the draft amendment to the PDPA is expected to be tabled at the Dewan Rakyat (House of Representatives) sitting in 2024.